Provided by: Jennifer Kirschenbaum, Esq.
December 21, 2017
My office accidentally mailed a patient's billing record, which did have detailed information on it, to the wrong person. The patient is very upset. We are concerned with the reporting requirement, and how mad the patient is that maybe we should self-report; but then again, we prefer to avoid and we did notify the patient. Any feedback?
I'm assuming in my answer that you properly notified the patient of the disclosure at the time it happened, and that is how she knows the material was compromised... Knowing the patient may very well be looking to retaliate doesn't impact whether or not you have an actual duty to report. If the disclosure rises to the level of a "breach" the obligation to report is mandatory. Now, if the mailing was an isolated incident and only impacted the 1 patient, your obligation to report is by year end, not immediate. So, if the patient reported you right away, you still would have had a longer period to have self-reported than if the patient beats you to the punch. If the patient does beat you to the punch, you are at a disadvantage. OCR is definitely looking to penalize for lack of reporting and lack of compliance.
If the internal assessment (or counsel's assessment) resulted in a determination there was no "breach", make sure disclosure and mitigation efforts are documented, and possibly discuss with the patient. As always, feel free to call for assistance.